Thursday, 27 June 2013

How to block SSH Server Attacks Using DenyHosts

DenyHosts is a free, open source, log-based intrusion prevention program for SSH servers that protects against brute force attacks.
It monitors and analyzes the SSH server log for invalid login attempts, dictionary attacks and brute force attacks, and blocks the originating IP addresses by adding entries to the /etc/hosts.deny file on the server, which prevents those addresses from making any further login attempts.

First add the EPEL repository

# wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

# rpm -ivh epel-release-5-4.noarch.rpm

Verify the EPEL repo
# yum repolist

Then install DenyHosts

# yum install denyhosts

Configuring DenyHosts for Whitelisted IP Addresses

Once DenyHosts is installed, make sure to whitelist your own IP address so you never get locked out. To do this, open the file /etc/hosts.allow:

# vim /etc/hosts.allow
   sshd: public_ip_address
   sshd: local_ip_address

Add each IP address that you never want to block, one per line.

Configuring DenyHosts for Email Alerts

The main configuration file is /etc/denyhosts.conf. It also controls the email alerts about suspicious logins and restricted hosts.

# vim /etc/denyhosts.conf
Search for 'ADMIN_EMAIL' and add your email address there to receive email alerts about suspicious logins.

SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5 --- block each host after the number of failed login attempts has exceeded this value. This value applies to invalid user login attempts.
DENY_THRESHOLD_VALID = 10 --- block each host after the number of failed login attempts has exceeded this value. This value applies to valid user login attempts.
DENY_THRESHOLD_ROOT = 1 --- block each host after the number of failed login attempts has exceeded this value. This value applies to "root" user login attempts only.
DENY_THRESHOLD_RESTRICTED = 1 --- block each host after the number of failed login attempts has exceeded this value. This value applies to usernames that appear in the WORK_DIR/restricted-usernames file only.
WORK_DIR = /var/lib/denyhosts --- the path that DenyHosts will use for writing data to (it will be created if it does not already exist).
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = root
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

Save the configuration file.
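As an added example (not part of the original post), the following shell script applies the three threshold rules above (DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID, DENY_THRESHOLD_ROOT) to sshd log lines, so you can see which source addresses cross a threshold and would end up in /etc/hosts.deny. The log lines, the RFC 5737 documentation addresses and the function name over_threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example: apply DenyHosts' three threshold rules to sshd log lines.
# The log lines below are constructed samples in /var/log/secure format,
# using RFC 5737 documentation addresses; they are not real traffic.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 27 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun 27 10:00:02 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Jun 27 10:00:03 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Jun 27 10:00:04 host sshd[1004]: Failed password for invalid user guest from 203.0.113.5 port 40004 ssh2
Jun 27 10:00:05 host sshd[1005]: Failed password for invalid user ftp from 203.0.113.5 port 40005 ssh2
Jun 27 10:00:06 host sshd[1006]: Failed password for invalid user pi from 203.0.113.5 port 40006 ssh2
Jun 27 10:00:07 host sshd[1007]: Failed password for root from 203.0.113.9 port 40007 ssh2
Jun 27 10:00:08 host sshd[1008]: Failed password for root from 203.0.113.9 port 40008 ssh2
Jun 27 10:00:09 host sshd[1009]: Failed password for bob from 198.51.100.7 port 40009 ssh2
Jun 27 10:00:10 host sshd[1010]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jun 27 10:00:11 host sshd[1011]: Accepted password for bob from 198.51.100.7 port 40011 ssh2
EOF

# over_threshold LOGFILE DENY_THRESHOLD_INVALID DENY_THRESHOLD_VALID DENY_THRESHOLD_ROOT
# Counts failed logins per source IP in the same three categories DenyHosts
# uses (invalid user, root, valid user) and prints "<ip> <category> <count>"
# for every IP whose count exceeds the threshold for that category.
# Successful logins ("Accepted ...") are ignored; only failures are counted.
over_threshold() {
    awk -v ti="$2" -v tv="$3" -v tr="$4" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ / for invalid user /)   cat = "invalid"
            else if ($0 ~ / for root from /) cat = "root"
            else                             cat = "valid"
            n[ip, cat]++
        }
        END {
            for (k in n) {
                split(k, p, SUBSEP)
                thr = (p[2] == "invalid") ? ti : (p[2] == "root") ? tr : tv
                if (n[k] > thr) print p[1], p[2], n[k]
            }
        }' "$1" | LC_ALL=C sort
}

# Run with the thresholds from the configuration above (5 / 10 / 1).
over_threshold "$SAMPLE_LOG" 5 10 1
```

With the configured thresholds, the two failed root attempts from 203.0.113.9 are enough to cross DENY_THRESHOLD_ROOT = 1, while bob's two failures stay well under DENY_THRESHOLD_VALID = 10.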

Restart the DenyHosts service

Once you are done with the configuration, restart the denyhosts service so the changes take effect. Also add the denyhosts service to system start-up:

# chkconfig denyhosts on
# service denyhosts start

Watch DenyHosts Logs

To see how many attackers have attempted to gain access to your server, watch the SSH log. Use the following command to view it in real time:

# tail -f /var/log/secure

Remove Banned IP Address from DenyHosts

If you have accidentally blocked an address and want to remove it from DenyHosts, first stop the service:

# /etc/init.d/denyhosts stop

To remove the banned IP address completely, edit the following files and delete the IP address from each of them:

# vim /etc/hosts.deny
# vim /var/lib/denyhosts/hosts
# vim /var/lib/denyhosts/hosts-restricted
# vim /var/lib/denyhosts/hosts-root
# vim /var/lib/denyhosts/hosts-valid
# vim /var/lib/denyhosts/users-hosts

After removing the banned IP address, start the service again:
# /etc/init.d/denyhosts start

The offending IP address is added to several files under the /var/lib/denyhosts directory, which makes it difficult to determine which files contain it.
The easiest way to find out is the grep command. For example, to find the IP address 162.10.25.127, do:

cd /var/lib/denyhosts
grep 162.10.25.127 *

Whitelist IP Addresses Permanently in DenyHosts

If you have a list of static IP addresses that you want to whitelist permanently, open the file /var/lib/denyhosts/allowed-hosts.
Any IP address included in this file will never be banned (consider it a whitelist).

# vim /var/lib/denyhosts/allowed-hosts
Add each IP address on a separate line, then save and close the file.

# We mustn't block localhost
127.0.0.1
162.10.25.127
162.10.25.128
162.10.25.129
